Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2008-03-23

In what's become a weekly ritual, I sit here on Sunday in my comfy athletic wear, putting off all things necessary to begin my day by reading my RSS feeds because I know what comes next is work - this week, six formal mathematical proofs for a cryptography class I'm fighting my way through. This week, as with many, I found yet another fantastic blog: Emergent Chaos. Brilliant in both concept and content, I highly recommend it to anyone whose interest draws them to my blog.

While thoroughly enjoying the recent posts, I came to a realization that should have been self-evident to me a long time ago: the difference between blogs I find useful and useless, and the resultant impact on my own blogging. For me, a useful blog contributes something new - something I can't find anywhere else. A blog that simply reinforces a belief I already have by making the same argument I've heard over and over again, or one that simply rehashes analysis I'm already familiar with, does not expand or enlighten my mind. The more different, the better. And as I discover more and more fantastic blogs that expand my mind, I find it harder and harder to contribute my own content to the universe of knowledge on the web. How can I possibly contribute to such a vast body of information?

While this is the first explicit self-realization I've had of this nature, it helps me explain to both myself and the few who read this blog my history of unpredictable posting - sometimes frequent, sometimes rare; sometimes technical, sometimes philosophical. While I cannot be sure that everything I write will be unique, that is my goal, and hopefully it makes this blog predictably useful in the blogroll of the global internet.

2008-03-17

The information security industry has once again topped itself with stupid names for overly-categorized attacks: we now have "whaling," described as "super-personalized attacks targeted at high-level corporate employees" by CSO Online. The only way I can explain the recurrence of a new, unnecessary, and increasingly silly term every 2-3 months is as a cheap crutch for vendors and media to keep the hype alive. That's not to say the threat landscape is highly fluid and evolving quickly, but come on, does every minor twist need a new buzzword? Maybe I'm behind the curve, but this is the first I've seen this term.

I can't help but think that some level of attention to detail in the message being conveyed and a bit of effort in understanding the audience would go a lot further in educating the public on the seriousness of the threat than overclassification that, in the end, only serves to confuse.

That's it, I'm creating a few new tags to track this: "overclassification" and "publiceducation."

2008-03-12

A first-century philosopher meets the Advanced Encryption Standard in 21st-century American body art realized as hex... with a very slick typeface. Ciphertext starts at the front of the shoulder and progresses downward. Enjoy.

2008-03-11

My roommate, a lawyer for EPIC, recently filed a complaint with the FTC about companies that sell spyware on the premise that it, well, lets you spy on people. This is a novel approach to tackle a serious problem that aggravates the current explosion of malicious software on the internet.

More relevant to his motivations, this was specifically filed in an attempt to raise awareness and combat the use of spyware by men stalking and harassing women. Imagine what a powerful weapon this would be for a jealous ex or predator. The perpetrators already have figured this out. Legally, this is a gray area. Prosecutors are hesitant to pursue cases given the lack of precedent, and that means law enforcement is hesitant to build a case. While the legal system goes through the long and painful process to figure out the ground rules on this type of software (it has its uses - investigators will use this type of software legally to build cases with appropriate legal authority), people are suffering. By claiming unfair trade practices, as EPIC has, attention is drawn to the issue, and hopefully vendors will stop encouraging troubled individuals to break the law through their advertising.

About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing an MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.